Mikrotik - IPv6 PDF

Contents
Articles
Manual:IPv6/Address 1
Manual:IPv6/DHCP Client 8
Manual:IPv6/DHCP Server 12
Manual:IPv6/Firewall 15
Manual:IPv6/Firewall/Address-list 16
Manual:IPv6/Firewall/Filter 16
Manual:IPv6/Firewall/Mangle 17
Manual:IPv6/ND 17
Manual:IPv6/Neighbors 22
Manual:IPv6/Pool 23
Manual:IPv6/Route 24
Manual:IPv6/Settings 27
Manual:IPv6 Overview 28
Manual:Simple Static IPv6 Routing 33
Manual:My First IPv6 Network 35
Manual:OSPFv3 with Quagga 39
Manual:Creating IPv6 loopback address 42
References
Article Sources and Contributors 43
Image Sources, Licenses and Contributors 44
Manual:IPv6/Address
Applies to RouterOS: v3, v4 +
Summary
Sub-menu: /ipv6 address
Standards: RFC 4291
IPv6 uses 16 bytes addresses compared to 4 byte addresses in IPv4. IPv6 address syntax and types are described in
RFC 4291.
There are multiple IPv6 address types, that can be recognized by their prefix. RouterOS distinguishes the following:
multicast (with prefix ff00::/8)
link-local (with prefix fe80::/10)
loopback (the address ::1/128)
unspecified (the address ::/128)
other (all other addresses, including the obsoleted site-local addresses, and RFC 4193 unique local addresses; they
all are treated as global unicast).
One difference between IPv6 and IPv4 addressing is that IPv6 automatically generates a link-local IPv6 address for
each active interface that has IPv6 support.
Address Expression
IPv6 addresses are represented a little bit different than IPv4 addresses. For IPv6, the 128-bit address is divided in
eight 16-bit blocks, and each 16-bit block is converted to a 4-digit hexadecimal number and separated by colons. The
resulting representation is called colon-hexadecimal.
In example above IPv6 address in binary format is converted to colon-hexadecimal representation
0010000000000001 0000010001110000 0001111100001001 0000000100110001

0000000000000000 0000000000000000 0000000000000000 0000000000001001
2001:0470:1f09:0131:0000:0000:0000:0009
IPv6 address can be further simplified by removing leading zeros in each block:
2001:470:1f09:131:0:0:0:9
As you can see IPv6 addresses can have long sequences of zeros. These contiguous sequence can be compressed to ::
2001:470:1f09:131::9
Note: Zero compression can only be used once. Otherwise, you could not determine the number of 0 bits
represented by each instance of a double-colon
Prefix
IPv6 prefix is written in address/prefix-length format. Compared to IPv4 decimal
representation of network mask cannot be used. Prefix examples:
2001:470:1f09:131::/64
2001:db8:1234::/48
2607:f580::/32
2000::/3
Address Types
Several IPv6 address types exist:
Unicast
Anycast
Multicast
As you can see there are no Broadcast addresses in ipv6 network, compared to IPv4 broadcast functionality was
completely replaced with multicast.
Unicast Addresses
Packets addressed to a unicast address are delivered only to a single interface. To this group belong:
globally unique addresses and can be used to connect to addresses with global scope anywhere.
link-local addresses
site-local addresses (FEC0::/48) - deprecated
special purpose addresses
compatibility addresses
Global unicast address can be automatically assigned to the node by Stateless Address auto-configuration. Read
More >>.
Link-local address
A link-local address is required on every IPv6-enabled interface, applications may rely on the existence of a
link-local address even when there is no IPv6 routing, that is why link-local address is generated automatically for
every active interface using it's interface identifier (calculated EUI-64 from MAC address if present). Address prefix
is always FE80::/64 and IPv6 router never forwards link-local traffic beyond the link.
These addresses are comparable to the auto-configuration addresses 169.254.0.0/16 of IPv4.
A link-local address is also required for Neighbor Discovery processes.
Note: If interface is set as bridge port, interface specific link-local address is removed leaving only bridge
link-local address
Special purpose address

Address Description
Unspecified address Never assigned to an interface or used as a destination address, used only to indicate the absence of an address.
(::/128) Equivalent to IPv4 0.0.0.0 address.
loopback address Used to identify a loopback interface, enabling a node to send packets to itself. It is equivalent to the IPv4
(::1/128) loopback address of 127.0.0.1.
Compatibility address
Address Description
IPv4 used by dual-stack nodes that are communicating with IPv6 over an IPv4 infrastructure. When the IPv4-compatible address is
compatible used as an IPv6 destination, IPv6 traffic is automatically encapsulated with an IPv4 header and sent to the destination by
address using the IPv4 infrastructure. Address is written in following format ::w.x.y.z, where w.x.y.z is the dotted decimal
representation of a public IPv4 address.
IPv4 mapped used to represent an IPv4-only node to an IPv6 node. It is used only for internal representation. The IPv4-mapped address is
address never used as a source or destination address for an IPv6 packet. The IPv6 protocol does not support the use of IPv4-mapped
addresses. Address is written in following format: ::ffff:w.x.y.z, where w.x.y.z is the dotted decimal representation of
a public IPv4 address.
2002::/16 this prefix is used for 6to4 addressing. Here, an address from the IPv4 network 192.88.99.0/24 is also used.
Multicast address
Most important multicast aspects are:
traffic is sent to a single address but is processed by multiple hosts;
group membership is dynamic, allowing hosts to join and leave the group at any time;
in IPv6, Multicast Listener Discovery (MLD) messages are used to determine group membership on a network
segment, also known as a link or subnet;
host can send traffic to the group's address without belonging to the corresponding group.
A single IPv6 multicast address identifies each multicast group. Each group's reserved IPv6 address is shared by all
host members of the group who listen and receive any IPv6 messages sent to the group's address.
Multicast address consists of the following parts: [1]
The first 8 bits in multicast address is always 1111 1111 (which is FF in hexadecimal format).
Flag uses the 9th to 12th bit and shows if this multicast address is predefined (well-known) or not. If it is
well-known, all bits are 0s.
Scope ID indicates to which scope multicast address belongs, for example, Scope ID=2 is link-local scope.
Group ID is used to specify a multicast group. There are predefined group IDs, such as Group ID=1 - all nodes.
Therefore, if multicast address is ff02::1, that means Scope ID=2 and Group ID=1, indicating all nodes in
link-local scope. This is analogous to broadcast in IPv4.
Here is the table of reserved IPV6 addresses for multicasting:
Address Description
FF02::1 The all-nodes address used to reach all nodes on the same link.
FF02::2 The all-routers address used to reach all routers on the same link.
FF02::5 The all-Open Shortest Path First (OSPF) routers address used to reach all OSPF routers on the same link.
FF02::6 The all-OSPF designated routers address used to reach all OSPF designated routers on the same link.
FF02::1:FFXX:XXXX The solicited-node address used in the address resolution process to resolve the IPv6 address of a link-local node to its
link-layer address. The last 24 bits (XX:XXXX) of the solicited-node address are the last 24 bits of an IPv6 unicast
address.
The following table is a partial list of IPv6 multicast addresses that are reserved for IPv6 multicasting and registered
with the Internet Assigned Numbers Authority (IANA). For complete list of assigned addresses read IANA
document [2].
Multicast addresses can be used to discover nodes in a network. For example, discover all nodes
mrz@bumba:/media/aaa/ver$ ping6 ff02::1%eth0

PING ff02::1%eth0(ff02::1) 56 data bytes
64 bytes from fe80::21a:4dff:fe5d:8e56: icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from fe80::20c:42ff:fe0d:2c38: icmp_seq=1 ttl=64 time=4.03 ms (DUP!)
64 bytes from fe80::20c:42ff:fe28:7945: icmp_seq=1 ttl=64 time=5.59 ms (DUP!)
64 bytes from fe80::20c:42ff:fe49:fce5: icmp_seq=1 ttl=64 time=5.60 ms (DUP!)
64 bytes from fe80::20c:42ff:fe21:f1ec: icmp_seq=1 ttl=64 time=5.88 ms (DUP!)
64 bytes from fe80::20c:42ff:fe72:a1b0: icmp_seq=1 ttl=64 time=6.70 ms (DUP!)
discover all routers
mrz@bumba:/media/aaa/ver$ ping6 ff02::2%eth0

PING ff02::2%eth0(ff02::2) 56 data bytes
64 bytes from fe80::20c:42ff:fe28:7945: icmp_seq=1 ttl=64 time=0.672 ms
64 bytes from fe80::20c:42ff:fe0d:2c38: icmp_seq=1 ttl=64 time=1.44 ms (DUP!)
Anycast address
Anycast address is a new type of address incorporated in IPv6.
Anycasting is a new networking paradigm supporting serviceoriented Addresses where an identical address can be
assigned to multiple nodes providing a specific service. An anycast packet (i.e., one with an anycast destination
address) is delivered to one of these nodes with the same anycast address.
Anycast address is not assigned a specific address range. It is assigned from unicast address range.
Interface Identifier
The last 64 bits of an IPv6 address are the interface identifier that is unique to the 64-bit prefix of the IPv6 address.
There are several ways how to determine interface identifier:
EUI-64;
randomly generated to provide a level of anonymity;
manually configured.
EUI-64
Traditional interface identifiers for network adapters are 48-bit MAC address. This address consists of a 24-bit
manufacturer ID and a 24-bit board ID.
IEEE EUI-64 is a new standard for network interface addressing. The company ID is still 24-bits in length, but the
extension ID is 40 bits, creating a much larger address space for a network adapters.
To create an EUI-64 address from the interface MAC address:
0xFFFE is inserted into the MAC address between the manufacturer ID and the board ID.
seventh bit of the first byte is reversed.
Lets make an example with following MAC address 00:0C:42:28:79:45.
Image above illustrates conversation process. When the result is converted to colon-hexadecimal notation, we get
the interface identifier 20C:42FF:FE28:7945. As the result, corresponds link-local address is
FE80::20C:42FF:FE28:7945/64
In RouterOS, if the eui-64 parameter of an address is configured, the last 64 bits of that address will be automatically
generated and updated using interface identifier. The last bits must be configured to be zero for this case. Example:
[admin@MikroTik] > ipv6 address add address=fc00:3::/64 interface=ether3 eui-64=yes

[admin@MikroTik] > ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS INTERFACE ADVERTISE
...
5 G fc00:3::20c:42ff:fe1d:3d4/64 ether3 yes
[admin@MikroTik] > interface ethernet set ether3 mac-address=10:00:00:00:00:01
...
5 G fc00:3::1200:ff:fe00:1/64 ether3 yes
Properties
Property Description
address Ipv6 address. Allowed netmask range is 0..128. Address can also be constructed from the pool if from-pool property
(Address/Netmask; Default: is specified.
) For example if address is set to ::1/64 then address will be constructed as follows <prefix_from_pool>::1/64
advertise (yes | no; Whether to enable stateless address configuration. The prefix of that address is automatically advertised to hosts
Default: no) using ICMPv6 protocol. The option is set by default for addresses with prefix length 64. Read more >>
comment (string; Default: ) Descriptive name of an item
disabled (yes | no; Whether address is disabled or not. By default it is disabled

Default: no)
eui-64 (yes | no; Default: Whether to calculate EUI-64 address and use it as last 64 bits of the IPv6 address. Read more >>
no)
from-pool (string; Name of the pool from which prefix will be taken to construct IPv6 address taking last part of the address from
Default: ) address property. See example >>
interface (string; Name of an interface on which Ipv6 address is set.

Default: )
Read-only properties
actual-interface Actual interface on which address is set up. For example, if address was configured on ethernet interface and ethernet
(string) interface was added to bridge, then actual interface is bridge not ethernet.
dynamic (yes | no) Whether address is dynamically created
global (yes | no) Whether address is global
invalid (yes | no)
link-local (yes | no) Whether address is link local
Examples
Manual address configuration

This example shows how to set up simple addressing with global IPv6 addresses between two routers.
R1 configuration:
/ipv6 address
add address=2001:DB8::1/64 interface=ether1 advertise=no
R2 configuration:
/ipv6 address
add address=2001:DB8::2/64 interface=ether1 advertise=no
Check address list
[admin@R1] /ipv6 address> print

# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:db8::1/64 ether1 no
3 DL fe80::219:d1ff:fe39:3535/64 ether1 no
Notice that our added address has G flag indicated that this address can be globally routed. We also have link local
address on the interface which is created automatically for every IPv6 capable interface.
Test connectivity
[admin@R1] /ipv6 address> /ping 2001:DB8::2

HOST SIZE TTL TIME STATUS
2001:db8::2 56 64 12ms echo reply
2001:db8::2 56 64 0ms echo reply
sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=6ms max-rtt=12ms
[ Top | Back to Content ]
References
[1] http:/ / www. ipv6style. jp/ files/ ipv6/ en/ tech/ 20030228/ images/ 1. gif
[2] http:/ / www. iana. org/ assignments/ ipv6-multicast-addresses/
Manual:IPv6/DHCP Client
Applies to RouterOS: v5.9 +
Summary
Currently DHCPv6 client can receive only delegated prefix from DHCPv6-PD server.
Quick setup example

This simple example demonstrates how to enable dhcp client to receive IPv6 prefix and add it to the pool.
/ipv6 dhcp-client add pool-name=test-ipv6 pool-prefix-length=64 interface=ether13
Detailed print should show status of the client and we can verify if prefix is received
[admin@x86-test] /ipv6 dhcp-client> print detail

Flags: D - dynamic, X - disabled, I - invalid
0 interface=bypass pool-name="test-ipv6" pool-prefix-length=64 status=bound
prefix=2001:db8:7501:ff04::/62 expires-after=2d23h11m53s
Notice that server gave us prefix 2a02:610:7501:ff04::/62 . And it should be also added to ipv6 pools
[admin@MikroTik] /ipv6 pool> print
Flags: D - dynamic
# NAME PREFIX PREFIX-LENGTH
0 D test-ipv6 2001:db8:7501:ff04::/62 64
It works! Now you can use this pool, for example, for pppoe clients.
Properties
Sub-menu: /ipv6 dhcp-client
add-default-route (yes | no; Whether to add default IPv6 route after client connects.
Default: no)
comment (string; Default: ) Short description of the client
disabled (yes | no; Default: no)
interface (string; Default: ) Interface on which DHCPv6 client will be running.
pool-name (string; Default: ) Name of the IPv6 pool in which received IPv6 prefix will be added
pool-prefix-length (string; Prefix length parameter that will be set for IPv6 pool in which received IPv6 prefix is added. Prefix length
Default: ) must be greater than the length of received prefix, otherwise prefix-length will be set to received prefix length
+ 8 bits.
Status
Command /ipv6 dhcp-client print detail will show current status of dhcp client and read-only
properties listed in table below:
duid (string) Auto generated DUID that is sent to the server. DUID is generated using one of
the MAC addresses available on the router.
dynamic (yes | no)
expires-after (time) Time when the IPv6 prefix expires (specified by the DHCPv6 server).
invalid (yes | no) Shows whether configuration is invalid.
prefix (IPv6 prefix) Shows received IPv6 prefix from DHCPv6-PD server
status (stopped | searching | requesting... | bound | renewing | Shows the status of DHCPv6 Client:
rebinding | error | stopping) stopped - dhcpv6 client is stopped
searching - sending "solicit" and trying to get "advertise"
requesting - sent "request" waiting for "reply"
bound - received "reply". Prefix assigned.
renewing - sent "renew", waiting for "reply"
rebinding - sent "rebind", waiting for "reply"
error - reply was not received in time or some other error ocurred.
stopping - sent "release"
To determine what IAID will be used, convert internal ID of an interface on which DHCP client is running from hex
to decimal.
For example, DHCP client is running on interface pppoe-out1. To get internal ID use following command
[admin@t36] /interface> :put [find name="pppoe-out1"]

*15
Now convert hex value 15 to decimal and you get IAID=21
Menu specific commands

release Release current binding and restart DHCPv6 client

(numbers)
renew Renew current leases. If the renew operation was not successful, client tries to reinitialize lease (i.e. it starts lease request
(numbers) procedure (rebind) as if it had not received an IP address yet)
Application Examples
Use received prefix for local RA

Consider following setup:
ISP is routing prefix 2001:DB8::/62 to the router R1

Router R1 runs DHCPv6 server to delegate /64 prefixes to the customer routers CE1 CE2
DHCP client on routers CE1 and CE2 receives delegated /64 prefix from the DHCP server (R1).
Client routers uses received prefix to set up RA on the local interface
Configuration
R1
/ipv6 route
add gateway=fe80::1:1%to-ISP
/ipv6 pool
add name=myPool prefix=2001:db8::/62 prefix-length=64
/ipv6 dhcp-server
add address-pool=myPool disabled=no interface=to-CE-routers lease-time=3m name=server1
CE1
/ipv6 dhcp-client
add interface=to-R1 pool-name=my-ipv6
/ipv6 address
add address=::1/64 from-pool=my-ipv6 interface=to-clients advertise=yes
CE2
/ipv6 dhcp-client
add interface=to-R1 pool-name=my-ipv6
/ipv6 address
add address=::1/64 from-pool=my-ipv6 interface=to-clients advertise=yes
Check the status

After configuration is complete we can verify that each CE router received its own prefix
On server:
[admin@R1] /ipv6 dhcp-server binding> print
Flags: X - disabled, D - dynamic
# ADDRESS DUID IAID SERVER STATUS
1 D 2001:db8:1::/64 0019d1393536 566 server1 bound
2 D 2001:db8:2::/64 0019d1393535 565 server1 bound
On client:
[admin@CE1] /ipv6 dhcp-client> print

Flags: D - dynamic, X - disabled, I - invalid
# INTERFACE STATUS PREFIX
0 to-R1 bound 2001:db8:1::/64
[admin@CE1] /ipv6 dhcp-client> /ipv6 pool print

Flags: D - dynamic
0 D my-ipv6 2001:db8:1::/64 64
We can also see that IPv6 address was automatically added from the prefix pool:
[admin@CE1] /ipv6 address> print

0 G 2001:db8:1::1/64 to-clients yes
..
And pool usage shows that 'Address' is allocating the pool
[admin@CE1] /ipv6 pool used> print

POOL PREFIX OWNER INFO
my-ipv6 2001:db8:1::/64 Address to-clients

Manual:IPv6/DHCP Server
Applies to RouterOS: v5.9+
Summary
Standards: RFC 3315, RFC 3633
Package: dhcp,ipv6
Starting from v5.9 DHCPv6 server is moved to /ipv6 sub menu
Single DUID is used for client and server identification, only IAID will vary between cients corresponding to their
assigned interface.
Client binding creates dynamic pool with timeout set to binding's expiration time (note that now dynamic pools can
have a timeout), which will be updated every time binding gets renewed.
When client is bound to prefix, DHCP server adds routing information to know how to reach assigned prefix.
Client bindings in server does not show MAC address anymore (as it was in v5.8), DUID (hex) and IAID are used
instead. After upgrade MAC addresses will be converted to DUIDs automatically, but due to unknown DUID type
and unknown IAID, they should be further updated by user;
General
Sub-menu: /ipv6 dhcp-server
This sub menu lists and allows to configure DHCPv6 servers.
Properties
authoritative (after-10sec-delay | Whether the DHCP server is the only one DHCP server for the network:
after-2sec-delay | yes | no; Default: after-10sec-delay - to clients request for an address, dhcp server will wait 10 seconds and if
after-2sec-delay) there is another request from the client after this period of time, then dhcp server will offer the
address to the client or will send DHCPNAK, if the requested address is not available from this
server
after-2sec-delay - to clients request for an address, dhcp server will wait 2 seconds and if
there is another request from the client after this period of time, then dhcp server will offer the
address to the client or will send DHCPNAK, if the requested address is not available from this
server
yes - to clients request for an address that is not available from this server, dhcp server will send
negative acknowledgment (DHCPNAK)
no - dhcp server ignores clients requests for addresses that are not available from this server
delay-threshold (time | none; If secs field in DHCP packet is smaller than delay-threshold, then this packet is ignored. If set to none -
Default: none) there is no threshold (all DHCP packets are processed)
disabled (yes | no; Default: no) Whether DHCPv6 server participate in prefix assignment process.
lease-time (time; Default: 3d) The time that a client may use the assigned address. The client will try to renew this address after a half
of this time and will request a new address after time limit expires.
address-pool (string | static-only; IPv6 pool, from which to take IPv6 prefix for the clients. If set to static-only, then only the clients that
Default: static-only) have a static binding (added in bindings submenu) will be allowed.
interface (string; Default: ) Interface on which server will be running.
name (string; Default: ) Reference name
Read-only Properties
dynamic (yes | no)
invalid (yes | no)
Bindings
Sub-menu: /ipv6 dhcp-server binding
DUID is used only for dynamic bindings, so if it changes then client will receive different prefix than previously.
address (IPv6 prefix; Default: ) IPv6 prefix that will be assigned to the client
comment (string; Default: ) Short description of an item.
disabled (yes | no; Default: no) Whether item is disabled
life-time (time; Default: 3d) Time period after which binding expires/
duid (string; Default: ) DUID value. Should be specified only in hexadecimal format.
iaid (integer [0..4294967295]; Default: )
server (string | all; Default: all) Name of the server. If set to all, then binding applies to all created DHCPv6 servers.
dynamic (yes | no) Whether item is dynamically created.
expires-after (time) Time period after which binding expires.
last-seen (time) Time period since client was last seen.
status (waiting | Three status vales are possible:

offered | bound) waiting - Shown for static bindings if it is not used. For dynamic bindings this status is shown if it was used
previously, server will wait 10 minutes to allow old client to get this binding, otherwise binding will be cleared and
prefix willbe offered to other clients.
offered - if solicit message was received, and server responded with advertise message, but request was not
received. During this state client have 2 minutes to get this binding, otherwise it is freed or changed status to
waiting for static bindings.
bound - currently bound.
For example, dynamically assigned /62 prefix
[admin@RB493G] /ipv6 dhcp-server binding> print detail

0 D address=2a02:610:7501:ff00::/62 duid="1605fcb400241d1781f7" iaid=0
server=local-dhcp life-time=3d status=bound expires-after=2d23h40m10s
last-seen=19m50s
1 D address=2a02:610:7501:ff04::/62 duid="0019d1393535" iaid=2

server=local-dhcp life-time=3d status=bound expires-after=2d23h43m47s
last-seen=16m13s
Menu specific commands
make-static () Set dynamic binding as static.
Configuration Examples
Enabling IPv6 Prefix delegation

Lets consider that we already have running DHCP server.
To enable IPv6 prefix delegation, first we need to create address pool
/ipv6 pool add name=myPool prefix=2001:db8:7501::/60 prefix-length=62
Notice that prefix-length is 62 bits, it means that clients will receive /62 prefixes from the /60 pool.
Next step is to enable DHCPv6.
/ipv6 dhcp-server add name=myServer address-pool=myPool interface=local
To test our server we will set up wide-dhcpv6 on ubuntu machine:

install wide-dhcpv6-client
edit "/etc/wide-dhcpv6/dhcp6c.conf" as above
Note: You can use also RouterOS as DHCPv6-PD client. Read more >>
interface eth2{
send ia-pd 0;
};
id-assoc pd {
prefix-interface eth3{
sla-id 1;
sla-len 2;
};
};
Run DHCPv6 client
sudo dhcp6c -d -D -f eth2
Verify that prefix was added to eth3
mrz@bumba:/media/aaa$ ip -6 addr
..
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:7501:1:200:ff:fe00:0/64 scope global

valid_lft forever preferred_lft forever
inet6 fe80::224:1dff:fe17:81f7/64 scope link
You can make binding to specific client static, so that it always receives the same prefix
[admin@RB493G] /ipv6 dhcp-server binding> print

# ADDRESS DU IAID SER.. STATUS
0 D 2001:db8:7501:1::/62 16 0 loc.. bound
[admin@RB493G] /ipv6 dhcp-server binding> make-static 0
DHCPv6 also installs route to assigned prefix into IPv6 routing table
[admin@RB493G] /ipv6 route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
...
2 ADS 2001:db8:7501:1::/62 fe80::224:1dff:fe17:8... 1
Manual:IPv6/Firewall
List of reference sub-pages Case studies List of examples
<splist showparent=yes />

Manual:IPv6/Firewall/Address-list 16
Manual:IPv6/Firewall/Address-list
Manual:IPv6/Firewall/Filter
Applies to RouterOS: v5
Summary
Sub-menu: /ipv6 firewall filter
Properties
action (accept | Action to take if packet is matched by the rule:

add-dst-to-address-list | ...; accept - Accept the packet. It is not passed to the next firewall rule.
Default: accept) add-dst-to-address-list - Add destination address to address list specified by
address-list parameter
add-src-to-address-list - Add source address to address list specified by address-list
parameter
drop -Silently drop the packet.
jump - Jump to the user defined chain specified by the value of jump-target parameter
log - Add a message to the system log containing following data: in-interface, out-interface, src-mac,
protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to the next
rule in the list, similar as passthrough
passthrough - Ignore this rule and go to next one (useful for statistics).
reject - Drop the packet and send an ICMP reject message
return - Passes control back to the chain from where the jump took place.
address-list (; Default: )
time (; Default: )

Manual:IPv6/Firewall/Mangle 17
Manual:IPv6/Firewall/Mangle
Manual:IPv6/ND
Summary
Sub-menu: /ipv6 nd
Standards: RFC 2462, RFC 2461
Package : IPv6
RouterOS has Ipv6 Neighbor Detection and stateless address autoconfiguration support using Router Advertisement
Daemon (RADVD).
Node description
Node is a device that implements IPv6. In IPv6 networks nodes are divided into two types:
Routers - a node that forwards IPv6 packets not explicitly addressed to itself.
Hosts - any node that is not a router.
Routers and hosts are strictly separated, meaning that router cannot be host and host cannot be router at the same
time.
Stateless address autoconfiguration

There are several types of autoconfiguration:
stateless - address configuration is done by received Router Advertisement messages. These messages include
stateless address prefixes and require that host is not using stateful address configuration protocol.
stateful - address configuration is done by using stateful address configuration protocol (DHCPv6). Stateful
protocol is used if RA messages do not include address prefixes.
both - RA messages include stateless address prefixes and require that hosts use a stateful address configuration
protocol.
A highly useful feature of IPv6 is the ability to automatically configure itself without the use of a stateful
configuration protocol like DHCP ( See example).
Note: Address autoconfiguration can only be performed on multicast-capable interfaces.
It is called stateless address autoconfiguration, since there is no need to manage state in the router
side. It is a very simple, robust and effective autoconfiguration mechanism.
RouterOS uses RADVD to periodically advertise information about the link to all nodes on the
same link. The information is carried by ICMPv6 "router advertisement" packet, and includes
following fields:
IPv6 subnet prefix
Default router link local address
Manual:IPv6/ND 18
Other parameters that may be optional: link MTU, default hoplimit, and router lifetime.
Then host catches the advertisement, and configures the global IPv6 address and the default router. Global IPv6
address is generated from advertised subnet prefix and EUI-64 interface identifier.
Optionally, the host can ask for an advertisement from the router by sending an ICMPv6 "router solicitation" packet.
On linux rtsol utility transmits the router solicitation packet. If you are running a mobile node, you may want to
transmit router solicitations periodically.
Note: Due to restrictions of IPv6, address auto-configuration can not be performed on routers. Routers require
manual address configuration.
Address states
When auto-configuration address is assigned it can be in one of the following states:
tentative - in this state host verifies that the address is unique. Verification occurs through duplicate address
detection.
preferred - at this state address is verified as unique and node can send and receive unicast traffic to and from
a preferred address. The period of time of preferred state is included in the RA message.
deprecated - address is still valid, but is not used for new connections.
invalid - node can no longer send or receive unicast traffic. An address enters the invalid state after the valid
lifetime expires.
Image belove ilustrates relation between states and lifetimes.
Neighbor discovery
Sub-menu: /ipv6 nd
In this submenu IPv6 Neighbor Discovery (ND) protocol is configured.
Neighbor Discovery (ND) is a set of messages and processes that determine relationships between neighboring
nodes. ND, compared to IPv4, replaces Address Resolution Protocol (ARP), Internet Control Message Protocol
(ICMP) Router Discovery, and ICMP Redirect and provides additional functionality.
ND is used by hosts to:
Discover neighboring routers.
Discover addresses, address prefixes, and other configuration parameters.
ND is used by routers to:
Advertise their presence, host configuration parameters, and on-link prefixes.
Inform hosts of a better next-hop address to forward packets for a specific destination.
ND is used by nodes to:
Both resolve the link-layer address of a neighboring node to which an IPv6 packet is being forwarded and
determine when the link-layer address of a neighboring node has changed.
Determine whether IPv6 packets can be sent to and received from a neighbor.
Manual:IPv6/ND 19
Properties
advertise-dns (yes | no; Default: no) Option to redistribute DNS server information using RADVD. You will need a running
client side software with Router Advertisement DNS support to take advantage of the
advertised DNS information. Read more >>
advertise-mac-address (yes | no; Default: yes) When set, the link-layer address of the outgoing interface is included in the RA.
disabled (yes | no; Default: no) Whether item is disabled or not. By default entry is enabled.
hop-limit (unspecified | integer[0..4294967295]; The default value that should be placed in the Hop Count field of the IP header for
Default: unspecified) outgoing (unicast) IP packets.
interface (all | string; Default: ) Interface on which to run neighbor discovery.

all - run ND on all running interfaces.
managed-address-configuration (yes | no; Flag indicates whether hosts should use stateful autoconfiguration (DHCPv6) to obtain
Default: no) addresses.
mtu (unspecified | integer[0..4294967295]; Default: The MTU option is used in router advertisement messages to insure that all nodes on a link
unspecified) use the same MTU value in those cases where the link MTU is not well known.
unspecified - do not send MTU option.
other-configuration (yes | no; Default: no) Flag indicates whether hosts should use stateful autoconfiguration to obtain additional
information (excluding addresses).
ra-delay (time; Default: 3s) The minimum time allowed between sending multicast router advertisements from the
interface.
ra-interval (time[3s..20m50s]-time[4s..30m]; min-max interval allowed between sending unsolicited multicast router advertisements
Default: 3m20s-10m) from the interface.
ra-lifetime (none | time; Default: 30m)
reachable-time (unspecified | time[0..1h]; The time that a node assumes a neighbor is reachable after having received a reachability
Default: unspecified) confirmation. Used by the Neighbor Unreachability Detection algorithm (see Section 7.3 of
RFC 2461)
retransmit-interval (unspecified | time; The time between retransmitted Neighbor Solicitation messages. Used by address
Default: unspecified) resolution and the Neighbor Unreachability Detection algorithm (see Sections 7.2 and 7.3
of RFC 2461)
Prefix
Sub-menu: /ipv6 nd prefix
Prefix information sent in RA messages used by stateless address auto-configuration.
Note: The autoconfiguration process applies only to hosts and not routers.
Manual:IPv6/ND 20
Properties
6to4-interface (none | If this option is specified, this prefix will be combined with the IPv4 address of interface name to produce a valid
string; Default: ) 6to4 prefix. The first 16 bits of this prefix will be replaced by 2002 and the next 32 bits of this prefix will be
replaced by the IPv4 address assigned to interface name at configuration time. The remaining 80 bits of the
prefix (including the SLA ID) will be advertised as specified in the configuration file.
autonomous (yes | no; When set, indicates that this prefix can be used for autonomous address configuration. Otherwise prefix
Default: yes) information is silently ignored.
disabled (yes | no; Default: Whether item is disabled or not. By default entry is enabled.
no)
on-link (yes | no; Default: When set, indicates that this prefix can be used for on-link determination. When not set the advertisement makes
yes) no statement about on-link or off-link properties of the prefix. For instance, the prefix might be used for address
configuration with some of the addresses belonging to the prefix being on-link and others being off-link.
preferred-lifetime Timeframe (relative to the time the packet is sent) after which generated address becomes "deprecated".
(infinity | time; Default: 1w) Deprecated is used only for already existing connections and is usable until valid-lifetime expires.
Read more >>
prefix (ipv6 prefix; Default: Prefix from which stateless address autoconfiguration generates the valid address.
::/64)
valid-lifetime (infinity | The length of time (relative to the time the packet is sent) an address remains in the valid state. The
time; Default: 4w2d) valid-lifetime must be greater than or equal to the preferred-lifetime. Read more >>
interface (string; Default: ) Interface name on which stateless auto-configuration will be running.
Examples
Stateless autoconfiguration example

0 G 2001:db8::1/64 ether1 yes
As in example above advertise flag is enabled which indicates that dynamic /ipv6 nd prefix entry is added.
[admin@MikroTik] > ipv6 nd prefix print

Flags: X - disabled, I - invalid, D - dynamic
0 D prefix=2001:db8::/64 interface=ether1 on-link=yes autonomous=yes
valid-lifetime=4w2d preferred-lifetime=1w
On a host that is directly attached to the router we see that an address was added. The address consists of prefix part
(first 64 bits) that takes prefix from the prefix advertisement, and host part (last 64 bits) that is automatically
generated from local MAC address:
atis@atis-desktop:~$ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8::21a:4dff:fe56:1f4d/64 scope global dynamic
Manual:IPv6/ND 21
valid_lft 2588363sec preferred_lft 601163sec

inet6 fe80::21a:4dff:fe56:1f4d/64 scope link
The host has received the 2001:db8::/64 prefix from the router and configured an address with it.
There is also an option to redistribute DNS server information using RADVD:
[admin@MikroTik] > ip dns set server=2001:db8::2

[admin@MikroTik] > ip dns print
servers: 2001:db8::2
...
[admin@MikroTik] > ipv6 nd set [f] advertise-dns=yes
You will need a running client side software with Router Advertisement DNS support to take advantage of the
advertised DNS information.
On Ubuntu/Debian linux distributions you can install rdnssd package which is capable of receiving advertised DNS
address.
mrz@bumba:/$ sudo apt-get install rdnssd
mrz@bumba:/$ cat /etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 2001:db8::2
mrz@bumba:/$ ping6 www.mikrotik.com

PING www.mikrotik.com(2a02:610:7501:1000::2) 56 data bytes
64 bytes from 2a02:610:7501:1000::2: icmp_seq=1 ttl=61 time=2.11 ms
64 bytes from 2a02:610:7501:1000::2: icmp_seq=2 ttl=61 time=1.33 ms
^C
--- www.mikrotik.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.334/1.725/2.117/0.393 ms
mrz@bumba:/$
See Also
http://www.tcpipguide.com/free/t_IPv6Addressing.htm
Manual:IPv6/Neighbors 22
Manual:IPv6/Neighbors
Summary
Sub-menu: /ipv6 neighbor
Standards: RFC 2461
Package : IPv6
List of all discovered nodes by IPv6 neighbor discovery protocol (neighbor cache).
[admin@test_host] /ipv6 neighbor> print

Flags: R - router
0 address=ff02::5 interface=main mac-address=33:33:00:00:00:05 status="noarp"
1 address=ff02::1 interface=main mac-address=33:33:00:00:00:01 status="noarp"
2 R address=fe80::d7:4cff:fec1:2e32 interface=main mac-address=00:0C:42:28:79:45

status="stale"
Read more about ND >>
Read-only Properties
address (ipv6 address) link-local address of the node.
comment (string)
inteface (string) Interface on which node was detected.
mac-address (string) Mac address of discovered node.
router (yes | no) Whether discovered node is router
status (noarp | incomplete | stale Status of the cached entry:

| reachable | delay | probe) noarp -
incomplete - address resolution is in progress and the link-layer address of the neighbor has not yet been
determined;
reachable - the neighbor is known to have been reachable recently (within tens of seconds ago);
stale - the neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no attempt
should be made to verify its reachability;
delay - the neighbor is no longer known to be reachable, and traffic has recently been sent to the
neighbor, probes are delayed for a short period in order to give upper layer protocol a chance to provide
reachability confirmation;
probe - the neighbor is no longer known to be reachable, and unicast Neighbor Solicitation probes are
being sent to verify reachability.
Manual:IPv6/Pool 23
Manual:IPv6/Pool
Applies to RouterOS: v5.7+
Summary
Sub-menu: /ipv6 pool
Standards:
Package : IPv6
IPv6 pools are used to define range of IPv6 addresses that is used for DHCPv6 server and Point-to-Point servers
IPv6 pools simply group IPv6 addresses for further usage. It is a single configuration point for all features that assign
IPv6 addresses to clients.
Pool Configuration
name (string; Default: ) Descriptive name of the pool.
prefix (IPv6/0..128; Default: ) Ipv6 address prefix
prefix-length (integer [1..128]; Default: ) Option represents the prefix size that will be give out to the client.
dynamic (yes | no) Whether pool is dynamic.
id (integer)
expire-time (time) Expire time is set to dynamic pools added by DHCPv6 client.
Example
Define a pool named "test" with prefix "2001::/64":
[admin@test-host] /ipv6 pool> add

name: test
prefix: 2001::/60
prefix-length: 62
[admin@test-host] /ipv6 pool> print
0 test 2001::/60 62bits
[admin@test-host] /ipv6 pool>
Manual:IPv6/Pool 24
Used Addresses from Pool

Sub-menu: /ipv6 pool used
In this menu you can see all used IPv6 addresses from the pools.
All properties are read-only.
info (string) Shows DUID related information received from client (value in hex).Can contain also raw timestamp in hex.
owner (string) What reserved the prefix ("DHCP", etc.)
pool (string) Name of the pool.
prefix (IPv6/0..128) IPv6 prefix that is assigned to client form the pool.
Manual:IPv6/Route
Summary
Sub-menu: /ipv6 route
Standards: RFC 4291
For static routing, the basic principles of IPv6 are exactly the same as for IPv4.
Simple ipv6 routing example:
[admin@MikroTik] > ipv6 route add dst-address=2001::/16 gateway=fc00:dead:beef::2

[admin@MikroTik] > ipv6 route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
0 A S dst-address=2001::/16 gateway=fc00:dead:beef::2 reachable ether1 distance=1
scope=30 target-scope=10
Most notable difference between ipv4 and ipv6 is that link local addresses can be used as route nexthops if interface
is specified:
[admin@MikroTik] > ipv6 route add dst-address=2002::/16 gateway=fe80::21a:4dff:fe56:1f4d%ether1
[admin@MikroTik] > ipv6 route print detail
...
1 A S dst-address=2002::/16
gateway=fe80::21a:4dff:fe56:1f4d%ether1 reachable distance=1
scope=30 target-scope=10
Another small difference is that there are no blackhole or prohibit routes, only unreachable.
IPv4 and IPv6 routing also differs in the area of multipath route. Technically speaking, in Linux kernel there is no
support for multiple nexthops for a IPv6 route. However, RouterOS allows to set more than one gateway address for
a single route. In this case, a route is installed in the kernel for each of the different interfaces to which route's
nexthops belong.
Example:
[admin@MikroTik] > ipv6 address p

0 G fc00:1::1/64 ether1 no
1 G fc00:2::1/64 ether2 no
[admin@MikroTik] > ipv6 route add dst-address=2001::/16 gateway=fc00:1::2,fc00:2::2
[admin@MikroTik] > ipv6 route print
0 A S 2001::/16 fc00:2::2 reachable ether1, 1
fc00:1::2 reachable ether2
When printing the Linux kernel route table, we see that two routes were added, not one:
# ip -6 route
2001::/16 via fc00:2::2 dev eth1 proto static metric 1024 mtu 1500 advmss 1440 metric10 4294967295
2001::/16 via fc00:1::2 dev eth0 proto static metric 1024 mtu 1500 advmss 1440 metric10 4294967295
...
Properties
bgp-as-path (list of AS numbers; Value of BGP AS_PATH attribute. Read more>>

Default: )
bgp-atomic-aggregate (yes |
no; Default: )
bgp-communities (list of two Value of BGP communities list. This attribute can be used to group or filter routes. Named values have
integers separated by :; Default: ) special meanings:
internet - advertise this route to the Internet community (i.e. all routers)
no-advertise - do not advertise this route to any peers
no-export - do not advertise this route to EBGP peers
local-as - same as no-export, except that route is also advertised to EBGP peers inside local
confederation
bgp-local-pref (integer; Default: Value of BGP LOCAL_PREF attribute. Read more>>

100)
bgp-med (integer; Default: 0) Value of BGP MULTI_EXIT_DISC BGP attribute. Read more>>
bgp-origin (igp | egp | incomplete; Value of BGP ORIGIN attribute. Read more>>
Default: )
bgp-prepend (integer [0..16]; How many times to prepend router's own AS number to AS_PATH attribute when announcing route via
Default: ) BGP. Affects only routes sent to eBGP peers (for iBGP value 0 is always used). Read more>>
check-gateway (ping | arp; Periodically (every 10 seconds) check gateway by sending either ICMP echo request (ping) or ARP
Default: ) request (arp). If no response from gateway is received for 10 seconds, request times out. After two
timeouts gateway is considered unreachable. After receiving reply from gateway it is considered reachable
and timeout counter is reset.
disabled (yes | no; Default: yes) Whether interface is disabled or not. By default it is disabled.
distance (integer; Default: ) Value used in route selection. Routes with smaller distance value are given preference. If value of this
property is not set, then the default depends on route protocol:
connected routes: 0
static routes: 1
eBGP: 20
OSPF: 110
RIP: 120
MME: 130
iBGP: 200
dst-address (IPv6/Netmask; IPv6 prefix of route, specifies destination addresses that this route can be used for. Netmask (integer
Default: ::/0) [0..128]) part of this property specifies how many of the most significant bits in packet destination address
must match this value. If there are several active routes that match destination address of packet, then the
most specific one (with largest netmask value) is used.
gateway (ipv6 address[,ipv6 Specifies which host or interface packets should be sent to. Link Local addresses can also be used as
address[,..]]; Default: ) gateways if interface is specified. Read more>>
route-tag (integer; Default: ) Value of route tag attribute for RIP or OSPF. For RIP only values 0..65535 are valid.
scope (integer [0..255]; Default: ) Used in nexthop resolution. Route can resolve nexthop only through routes that have scope less than or
equal to the target-scope of this route. Default value depends on route protocol:
connected routes: 10 (if interface is running)
OSPF, RIP, MME routes: 20
static routes: 30
BGP routes: 40
connected routes: 200 (if interface is not running)
target-scope (integer [0..255]; Used in nexthop resolution. This is the maximum value of scope for a route through which a nexthop of
Default: 10 (30 for iBGP)) this route can be resolved. See nexthop lookup.
type (unicast | unreachabe; Default: Routes that do not specify nexthop for packets, but instead perform some other action on packets have type
unicast) different from the usual unicast.
active (yes | no) Whether route is currently active and is used for packet forwarding.
bgp (yes | no) BGP route
bgp-weight (integer) BGP weight attribute
connect (yes | no) Directly connected route
dynamic (yes | no) Dynamically added route
gateway-status ()
ospf (yes | no) OSPF route
ospf-metric (integer)
ospf-type (external-type-1 | intra-area | Type of the OSPF route

...)
received-from (string) Name of the BGP peer from which this route was received.
rip (yes | no) RIP route
static (yes | no) Statically added route by user.
unreachable (yes | no) Discard packet forwarded by this route. Notify sender with ICMP host unreachable (type 3 code 1)
message.
See Also
Ipv4 Routing and route selection
Simple IPv6 routing example
Manual:IPv6/Settings
Applies to RouterOS: v6+
Summary
Sub-menu: /ipv6 settings
IPv6 Settings allows to configure several IPv6 related kernel parameters.
Properties
forward (yes | no; Default: yes) Emable/disable packet forwarding between interfaces.
accept-redirects (no | yes-if-forwarding-disabled; Default: Whether to accept ICMP redirect messages. Typically should be
yes-if-forwarding-disabled) enabled on host and disabled on routers.
accept-router-advertisements (no | yes | Accept router advertisement (RA) messages. If enabled router will
yes-if-forwarding-disabled; Default: yes-if-forwarding-disabled) be able to get address using stateless address configuration

Manual:IPv6 Overview
Applies to RouterOS: v3beta10+, v4, v5+
IPv6 overview
Package requirement: ipv6
Internet Protocol version 6 (IPv6) is the new version of the Internet Protocol (IP). It was initially expected to replace
IPv4 in short enough time, but for now it seems that these two version will coexist in Internet in foreseeable future.
Nevertheless, IPv6 becomes more important, as the date of unallocated IPv4 address pool's exhaustion approaches.
The two main benefits of IPv6 over IPv4 are:
much larger address space;
support of stateless and statefull address autoconfiguration;
built-in security;
new header format (faster forwarding).
Supported programms
MikroTik IPv6 support at the moment:
DHCPv6 prefix delegation for DHCP server.
DHCPv6-PD client.
IPv6 Prefix Delegation over PPP interfaces.
static addressing and routing;
router advertisement daemon (for address autoconfiguration);
dynamic routing: BGP+, OSPFv3, and RIPng protocols;
firewall (filter, mangle, address lists, connection table);
queue tree, simple queue, pcq;
DNS name servers;
6in4 (SIT) tunnels;
EoIPv6, ip/ipv6 over ipv6 (IPIPv6) tunnel interface (starting from v5RC6)
IPSEC;
VRRPv3;
all PPP (Point-to-point protocols);
SSH, telnet, FTP, WWW access, Winbox, API;
ping;
traceroute;
web proxy;
sniffer and fetch tools;
IP services and User allowed IPv6 address support;
torch, bandwidth test and other tools;
Features not yet supported:
automatic tunnel creation;
policy routing;
multicast routing;
MPLS;
Addressing
IPv6 uses 16 bytes addresses compared to 4 byte addresses in IPv4. IPv6 address syntax and types are described in
RFC 4291.
Read more>>
Stateless Autoconfiguration
Read more >>
Routing
For static routing, the basic principles of IPv6 are exactly the same as for IPv4. Read more >>
Note: Link local addresses are required for dynamic routing protocols to function!
Warning: All dynamic routing protocols also require a valid Router ID to function. If the Router ID is not
configured manually, one of router's IPv4 addresses are used as the Router ID. If no IPv4 addresses are
present, the router ID selection process will fail. This means that dynamic routing will not work on a router
that has no IPv4 addresses, unless you configure the Router ID manually!
BGP
Because of it's design BGP naturally supports multiple address families, and migration to IPv6 is straightforward
here.
Example: configure iBGP between routers A and B, AS 65000, that will exchange IPv4 and IPv6 routes.
Router A:
[admin@A] > routing bgp peer add remote-address=10.0.0.134 remote-as=65000 address-families=ip,ipv6
Router B:
[admin@B] > routing bgp peer add remote-address=10.0.0.133 remote-as=65000 address-families=ip,ipv6
Redistribute a route from router A to router B:
[admin@A] > ipv6 route add dst-address=2001::/16 gateway=fe80::1%ether1

[admin@A] > routing bgp network add network=2001::/16
[admin@A] > routing bgp advertisements print
PEER PREFIX NEXTHOP AS-PATH ORIGIN LOCAL-PREF
peer1 2001::/16 fe80::1200:ff... igp 100
[admin@B] > ipv6 route print


0 ADb 2001::/16 fe80::1200:ff:fe00:10... 200
IPv6 addresses can also be used in peer configuration in remote-address and update-source fields - to make a BGP
connection over IPv6.
OSPF
Unlike to BGP, adding IPv6 support to OSPF required a lot of changes and resulted in a new, incompatible, version
of OSPF: protocol version 3. (For IPv4, OSPF version 2 is used). The new version is described in RFC 2740.
OSPFv3 uses the same fundamental mechanisms as OSPFv2 LSAs, flooding, the SPF algorithm, etc. However, it
adds not only support to a new address family, but also some improvements to the protocol itself. The new version
avoids some potential problems and inefficiencies present in the operation of OSPFv2.
OSPFv3 configuration syntax largely remains the same as for OSPFv2. One mayor difference is that there is no
configuration for networks anymore, and interface configuration becomes mandatory, since OSPFv3 runs on link,
not IP subnet, basis.
Example:
Configure OSPF on router A:
[admin@A] > routing ospf-v3 interface add interface=ether1 area=backbone
Configure OSPF on router B:
[admin@B] > routing ospf-v3 interface add interface=ether1 area=backbone

[admin@A] > routing ospf-v3 instance set default redistribute-static=as-type-1
[admin@A] > routing ospf-v3 route print
# DESTINATION STATE COST
0 2001::/16 imported-ext-1 20

0 ADo 2001::/16 fe80::1200:ff:fe00:10... 110
RIP
Similarly to OSPF, a new version of RIP was required to add IPv6 support. The new version is called RIPng (RIP
new generation) and described in RFC 2080. Just like OSPFv3, RIPng runs on link, not IP subnet, basis - this means
that you need to configure interfaces, not IP networks, on which to run RIPng.
Example:
Configure RIP on router A:
[admin@A] > routing ripng interface add interface=ether1
Configure RIP on router B:
[admin@B] > routing ripng interface add interface=ether1


[admin@A] > routing ripng set redistribute-static=yes
[admin@A] > routing ripng route print
Flags: C - connect, S - static, R - rip, O - ospf, B - bgp
# DST-ADDRESS
0 S 2001::/16

0 ADr 2001::/16 fe80::1200:ff:fe00:10... 120
6to4 (6in4) tunnels

This describes solution using global 6to4 relay address. For a solution using a tunnel broker see Setting up an IPv6
tunnel via a tunnel broker.
First, you will need a global routable IPv4 address. We assume the address 1.2.3.4 for the sake of this example.
Then you need to make user that the global 6to4 relay anycast address 192.88.99.1 is reachable and that it really
provides relay services (since it's anycast address, your connection should be routed to the host having this addresses
that is the closest to your location).
Then add 6to4 interface without specifying remote address and using your global IPv4 address as local-address:
interface 6to4 add mtu=1280 local-address=1.2.3.4 disabled=no
Now you need to add a IPv6 address to the tunnel interface. The address should be in form "2002 + <IPv4 address
in hex> + <custom id>" . A bash script can be used to generate such IPv6 address for you:
atis@atis-desktop:~$ ipv4="1.2.3.4"; id="1"; printf "2002:%02x%02x:%02x%02x::$id\n"

`echo $ipv4 | tr "." " "`
2002:0102:0304::1
Add the generated address to the 6to4 interface:
ipv6 address add address=2002:0102:0304::1/128 interface=sit1
Add route to global IPv6 Internet through the tunnel interface using the anycast IPv4 address:
ipv6 route add dst-address=2000::/3 gateway=::192.88.99.1,sit1
Syntax for RouterOS v4.x, or RouterOS 3.x with routing-test:
ipv6 route add dst-address=2000::/3 gateway=::192.88.99.1%sit1
Now try to ping some IPv6 host (e.g. ipv6.google.com, 2001:4860:a003::68) to check your IPv6 connectivity.
See also 6in4 [1] and 6to4 [2] in Wikipedia.
Using dual stack

All IP services that listen to IPv6 also accept IPv4 connections. We take the web proxy for an example.
To force the web proxy to listen to IPv6 connections:
/ip proxy set src-address=::
To demonstrate that the dual stack is working, we connect to the web proxy at 10.0.0.131/fc00:1::1 using telnet,
issue "GET /" request, and observe generated error message.
Connecting via IPv4:
$ telnet 10.0.0.131 8080

Trying 10.0.0.131...
Connected to 10.0.0.131.
Escape character is '^]'.
GET /
HTTP/1.0 404 Not Found

Content-Length: 518
...
Generated Mon, 18 Dec 2006 12:40:03 GMT by 10.0.0.131 (Mikrotik HttpProxy)
Connecting via IPv6:
$ telnet -6 fc00:1::1 8080

Trying fc00:1::1...
Connected to fc00:1::1.
GET /
HTTP/1.0 404 Not Found

Content-Length: 525
...
Generated Mon, 18 Dec 2006 12:38:51 GMT by ::ffff:10.0.0.131 (Mikrotik HttpProxy)
References
[1] http:/ / en. wikipedia. org/ wiki/ 6in4
[2] http:/ / en. wikipedia. org/ wiki/ 6to4
Manual:Simple Static IPv6 Routing

Introduction
Lets make a simple routing setup illustrated in image below
Lets consider ISP is giving us prefix 2001:db8::/62 and prefix is routed to us with link-local address (fe80::1:1).
Ether1 of Router1 is connected to ISP and will be the gateway of our networks. Router2 is connected to ether2 of
Router1 and will act as a gateway for clients connected to it from LAN2. Router1 also connects one client to ether3.
Our goal is to create setup so that clients from LAN1 can reach clients from LAN2 and all of them can connect to the
internet.
Configuration
At first we need to find what link-local addresses are on Router1 and on Router's 2 ether1 for routing. We can do
IPv6 routing without globally configuring addresses on every link that way addresses are not wasted. In current setup
there is no global addresses even between ISP and our gateway.



Now we can start configuration.

Router1
/ipv6 address
add address=2001:db8:1::1/64 interface=ether3 advertise=yes
/ipv6 route
add gateway=fe80::1:1%ether1
add dst-address=2001:db8:2::/64 gateway=fe80::219:d1ff:fe39:3535%ether2
Router2
/ipv6 address
add address=2001:db8:2::1/64 interface=ether2 advertise=yes
/ipv6 route
add gateway=fe80::219:d1ff:fe00:3512%ether1
Notice how link local addresses are configured as gateways. We provide directly connected neighbour routers
link-local address and explicitly specify on which interface ll address is reachable.
Added global addresses are with advertise flag meaning that RA will be used to automatically configure IPv6
addressing on the client PCs. Read more>>
That is all required configuration. At this point all clients are directly reachable from remote locations.
Note: Since IPv6 does not have NAT all clients have direct connection to the Internet. IPv6 firewall rules are
required to protect the clients from unwanted access or attacks
See Also
IPv6 routing example with tunnel broker
Manual:My First IPv6 Network

Summary
This example demonstrates how to set up your first IPv6 network using tunnel broker's provided service.
Application Example
Consider following network setup:
Our main gateway (R1) has only IPv4 internet connectivity and ISP is not providing IPv6 services. Our network
consists of two isolated network segments Lan1 and Lan2.
To enable IPv6 we will need to create a tunnel to IPv6 tunnel broker which will transit our IPv6 traffic over IPv4
network.
Tunnel broker
In this example we will use Hurricane Electric tunnel broker services [1].
After registration click on "Create regular tunnel", enter your IP address and choose closest server to your location.
That's it tunnel is now allocated.
Now go to tunnel details, where you will see all the parameters for successful tunnel creation and allocated IPv6
address block. As we have two separate lan segments we will need /48 address block, allocate it by clicking on
"allocate".
Configuration
Here is whole configurations for those who want to copy&paste.
R1:
# ipv4 connectivity to ISP
/ip address
add address=194.105.56.170/24 interface=ether1
/ip route
add gateway=194.105.56.1
# ipv6 service
/interface 6to4
add comment="HE IPv6" local-address=194.105.56.170 mtu=1280 name=sit1 remote-address=\
216.66.80.90
/ipv6 address
add address=2001:470:27:37e::2/64 advertise=no eui-64=no interface=sit1
/ipv6 route
add dst-address=::/0 gateway=2001:470:27:37e::1
#Lan1
/ipv6 address
add address=2001:470:dcd9:1::1/64 advertise=yes interface=ether3
# routing between segments

/routing ospf-v3 instance
set default router-id=10.10.10.1 distribute-default=if-installed-as-type-1 \
redistribute-connected=as-type-1
/routing ospf-v3 interface

add area=backbone interface=ether2
R2:
#Lan2
/ipv6 address
# routing between segments

set default router-id=10.10.10.2 redistribute-connected=as-type-1

IPv4 connectivity
IPv4 connectivity is needed only between ISP and our main gateway (R1), as our home network is going to be purely
IPv6.
Set up ip address and route on R1:
/ip address
add address=194.105.56.170/24 interface=ether1
/ip route
add gateway=194.105.56.1
IPv6 tunnel service

Lets create 6to4 tunnel using parameters from HE provided tunnel details:
/interface 6to4
add comment="HE IPv6" local-address=194.105.56.170 mtu=1280 name=sit1 remote-address=\
216.66.80.90
Add provided IPv6 address and default route to tunnel broker.
/ipv6 address
add address=2001:470:27:37e::2/64 advertise=no eui-64=no interface=sit1
/ipv6 route
add dst-address=::/0 gateway=2001:470:27:37e::1
At this point router should be capable of reaching any IPv6 destination.

Lan segment address blocks

Next, we need to assign a subnet address from the /48 address block to two of our ethernet segments. Since the prefix
length for IPv6 subnet is always /64, we have 65536 subnets available from /48 address block! Let's just assign
2001:470:dcd9:1::/64 to Lan1, and 2001:470:dcd9:2::/64 to Lan2.
R1:
#Lan1
/ipv6 address
R2:
#Lan2
/ipv6 address
Notice, that advertise flag is enabled. It means that Stateless auto configuration is enabled and absolutely no address
configuration is required on client side.
Routing between segments

We will use OSPF as the routing protocol between both routers. Notice that in IPv6 network additional addresses
between routers are not required. Link-local addresses are used for connectivity between routers.
R1:

set default router-id=10.10.10.1 distribute-default=if-installed-as-type-1 \
redistribute-connected=as-type-1

R2:

set default router-id=10.10.10.2 redistribute-connected=as-type-1

When configuring OSPF on a network without configured IPv4, important configuration part is to set up router-id.
Wen this parameter is not set, OSPF will try to get it from configured IPv4 addresses, if IPv4 address are missing
process will fail and OSPF will not work.
At this point both LAN segments can reach Ipv6 Global network routed over 6to4 tunnel.
See Also
Simple IPv6 routing example
References
[1] http:/ / www. tunnelbroker. net/
Manual:OSPFv3 with Quagga

In this example we demonstrate interoperability of MikroTik 3.x with Quagga in multi-area OSPF setup with load
balancing.
RouterOS version 3.16 and Quagga 0.99.11 are used respectively.
Router A
/ipv6 address
add address=2003::1:0:0:0:1/64 advertise=no interface=ether2
add address=2003::1/64 advertise=no interface=ToInternet

/routing ospf-v3
set router-id=0.0.0.1 distribute-default=always-as-type-1

add interface=ether1 area=backbone
Router B
/ipv6 address

/routing ospf-v3
set router-id=0.0.0.2
/routing ospf-v3 area
add area-id=0.0.0.1 name=area1
add interface=ether2 area=area1
Quagga Router
debian:~# ip -6 addr add 2003:0:0:3::4/64 dev eth1
debian:~# ip -6 addr add 2003:0:0:4::4/64 dev eth2
debian:~#
debian:~# cat /etc/quagga/ospf6d.conf
...
interface eth1
ipv6 ospf6 cost 10

interface eth2
ipv6 ospf6 cost 10

router ospf6
router-id 0.0.0.4
interface eth1 area 0.0.0.1
interface eth2 area 0.0.0.0

debian:~# telnet ::1 2606
Hello, this is Quagga (version 0.99.11).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

...

quagga# show ipv6 ospf6 route
*N E1 ::/0 fe80::1200:ff:fe00:100 eth2 00:33:50
*N IA 2003:0:0:1::/64 fe80::1200:ff:fe00:100 eth2 00:32:55
*N IE 2003:0:0:2::/64 fe80::1200:ff:fe00:100 eth2 00:02:44
*N IA 2003:0:0:2::/64 fe80::1200:ff:fe00:301 eth1 00:02:37
*N IE 2003:0:0:3::/64 fe80::1200:ff:fe00:100 eth2 00:02:39
N IA 2003:0:0:3::/64 :: eth1 00:02:46
*N IA 2003:0:0:4::/64 :: eth2 00:33:50
Router C
/ipv6 address

/routing ospf-v3
set router-id=0.0.0.3
/routing ospf-v3 area
add area-id=0.0.0.1 name=area1

[admin@C] /routing ospf-v3> route print
# DESTINATION STATE COST
0 ::/0 ext-1 21
1 2003::1:0:0:0:0/64 inter-area 20
2 2003::2:0:0:0:0/64 intra-area 10
3 2003::3:0:0:0:0/64 intra-area 10
4 2003::4:0:0:0:0/64 inter-area 20

[admin@C] /routing ospf-v3> route print detail
0 destination=::/0 state=ext-1 gateway=fe80::1200:ff:fe00:201,fe80::1200:ff:fe00:ff00
interface=ether1,ether2 cost=21 area=external

1 destination=2003::1:0:0:0:0/64 state=inter-area gateway=fe80::1200:ff:fe00:201
interface=ether1 cost=20 area=area1

2 destination=2003::2:0:0:0:0/64 state=intra-area gateway=:: interface=ether1 cost=10
area=area1

3 destination=2003::3:0:0:0:0/64 state=intra-area gateway=:: interface=ether2 cost=10
area=area1

4 destination=2003::4:0:0:0:0/64 state=inter-area gateway=fe80::1200:ff:fe00:ff00
interface=ether2 cost=20 area=area1
Ping an "Internet" address from Router C (traffic will go through ECMP route):
[admin@C] > /ping 2003::1

2003::1 64 byte ping: ttl=63 time=20 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 9/13.2/20 ms

[admin@C] > /tool traceroute 2003::1
ADDRESS STATUS
1 2003::2:0:0:0:2 19ms 7ms 15ms
2 2003::1 13ms 13ms 12ms
Manual:Creating IPv6 loopback address

In some cases it is necessary to have a kind of loopback interface. It can be used to hold addresses that belong to the
"router itself" and not to any particular outgoing interface. Such addresses are useful, for example, as source
addresses for TCP connections between two routers that have more that one physical interfaces between them.
In MT RouterOS the recommended way to add a loopback interface for IPv4 is to create a new empty bridge
interface:
/interface bridge add name=lobridge

# loopback address
/ip address add address=10.0.0.1/24 interface=lobridge
However, for IPv6 this won't work.

Empty bridge interface has zero MAC byte default. MT RouterOS does not generate IPv6 link-local addresses on
interfaces with zero MAC address (because of high address collision probability).
Since IPv6 link-local address is needed for IPv6 to function properly on an interface, this means that by default the
empty bridge interface cannot be used as IPv6 loopback interface.
Recommended solution
Add an empty bridge, and specify bridge MAC address manually:
/interface bridge add name=lobridge auto-mac=no admin-mac=01:00:00:00:01:00

# loopback address
/ipv6 address add address=2003::1/64 advertise=no interface=lobridge
Alternative solution is to use a fake EoIP tunnel interface instead of bridge. A random MAC address will be
generated in this case.
Results
Test that you are able to ping the loopback address:
/ping 2003::1
Article Sources and Contributors 43
Article Sources and Contributors

Manual:IPv6/Address Source: http://wiki.mikrotik.com/index.php?oldid=23735 Contributors: Marisb
Manual:IPv6/DHCP Client Source: http://wiki.mikrotik.com/index.php?oldid=24325 Contributors: Janisk, Marisb
Manual:IPv6/DHCP Server Source: http://wiki.mikrotik.com/index.php?oldid=25891 Contributors: Marisb
Manual:IPv6/Firewall Source: http://wiki.mikrotik.com/index.php?oldid=17674 Contributors: Marisb
Manual:IPv6/Firewall/Address-list Source: http://wiki.mikrotik.com/index.php?oldid=17645 Contributors: Marisb
Manual:IPv6/Firewall/Filter Source: http://wiki.mikrotik.com/index.php?oldid=23201 Contributors: Marisb
Manual:IPv6/Firewall/Mangle Source: http://wiki.mikrotik.com/index.php?oldid=17644 Contributors: Marisb
Manual:IPv6/ND Source: http://wiki.mikrotik.com/index.php?oldid=20511 Contributors: Janisk, Marisb
Manual:IPv6/Neighbors Source: http://wiki.mikrotik.com/index.php?oldid=19435 Contributors: Marisb
Manual:IPv6/Pool Source: http://wiki.mikrotik.com/index.php?oldid=22676 Contributors: Marisb
Manual:IPv6/Route Source: http://wiki.mikrotik.com/index.php?oldid=23740 Contributors: Marisb
Manual:IPv6/Settings Source: http://wiki.mikrotik.com/index.php?oldid=25788 Contributors: Marisb
Manual:IPv6 Overview Source: http://wiki.mikrotik.com/index.php?oldid=22697 Contributors: Janisk, Marisb, Route
Manual:Simple Static IPv6 Routing Source: http://wiki.mikrotik.com/index.php?oldid=23743 Contributors: Marisb
Manual:My First IPv6 Network Source: http://wiki.mikrotik.com/index.php?oldid=23739 Contributors: Marisb
Manual:OSPFv3 with Quagga Source: http://wiki.mikrotik.com/index.php?oldid=17612 Contributors: Janisk, Marisb, Route
Manual:Creating IPv6 loopback address Source: http://wiki.mikrotik.com/index.php?oldid=17556 Contributors: Janisk, Marisb, Route
Image Sources, Licenses and Contributors 44
Image Sources, Licenses and Contributors

Image:Version.png Source: http://wiki.mikrotik.com/index.php?title=File:Version.png License: unknown Contributors: Normis
Image:Icon-note.png Source: http://wiki.mikrotik.com/index.php?title=File:Icon-note.png License: unknown Contributors: Marisb, Route
File:ipv6eui64.png Source: http://wiki.mikrotik.com/index.php?title=File:Ipv6eui64.png License: unknown Contributors: Marisb
File:ipv6-simple-address-example.png Source: http://wiki.mikrotik.com/index.php?title=File:Ipv6-simple-address-example.png License: unknown Contributors: Marisb
File:dhcpv6-pd-example.png Source: http://wiki.mikrotik.com/index.php?title=File:Dhcpv6-pd-example.png License: unknown Contributors: Marisb
File:ipv6-lifetime.png Source: http://wiki.mikrotik.com/index.php?title=File:Ipv6-lifetime.png License: unknown Contributors: Marisb
Image:Icon-warn.png Source: http://wiki.mikrotik.com/index.php?title=File:Icon-warn.png License: unknown Contributors: Marisb, Route
Image:simple-ipv6-routing.png Source: http://wiki.mikrotik.com/index.php?title=File:Simple-ipv6-routing.png License: unknown Contributors: Marisb
File:First-IPv6-example.png Source: http://wiki.mikrotik.com/index.php?title=File:First-IPv6-example.png License: unknown Contributors: Marisb
File:Tunnel-broker.png Source: http://wiki.mikrotik.com/index.php?title=File:Tunnel-broker.png License: unknown Contributors: Marisb
Image:ospfv3_setup.png Source: http://wiki.mikrotik.com/index.php?title=File:Ospfv3_setup.png License: unknown Contributors: Route

Mikrotik - IPv6 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mikrotik - IPv6 PDF

Uploaded by

Copyright:

Available Formats

Contents

0010000000000001 0000010001110000 0001111100001001 0000000100110001

Special purpose address

mrz@bumba:/media/aaa/ver$ ping6 ff02::1%eth0

discover all routers

mrz@bumba:/media/aaa/ver$ ping6 ff02::2%eth0

[admin@MikroTik] > ipv6 address add address=fc00:3::/64 interface=ether3 eui-64=yes

comment (string; Default: ) Descriptive name of an item

disabled (yes | no; Whether address is disabled or not. By default it is disabled

interface (string; Name of an interface on which Ipv6 address is set.

dynamic (yes | no) Whether address is dynamically created

global (yes | no) Whether address is global

invalid (yes | no)

link-local (yes | no) Whether address is link local

Manual address configuration

Check address list

[admin@R1] /ipv6 address> print

[admin@R1] /ipv6 address> /ping 2001:DB8::2

[ Top | Back to Content ]

Quick setup example

/ipv6 dhcp-client add pool-name=test-ipv6 pool-prefix-length=64 interface=ether13

[admin@x86-test] /ipv6 dhcp-client> print detail

comment (string; Default: ) Short description of the client

disabled (yes | no; Default: no)

interface (string; Default: ) Interface on which DHCPv6 client will be running.

dynamic (yes | no)

invalid (yes | no) Shows whether configuration is invalid.

[admin@t36] /interface> :put [find name="pppoe-out1"]

Now convert hex value 15 to decimal and you get IAID=21

Menu specific commands

release Release current binding and restart DHCPv6 client

Use received prefix for local RA

ISP is routing prefix 2001:DB8::/62 to the router R1

Check the status

[admin@CE1] /ipv6 dhcp-client> print

[admin@CE1] /ipv6 dhcp-client> /ipv6 pool print

[admin@CE1] /ipv6 address> print

And pool usage shows that 'Address' is allocating the pool

[admin@CE1] /ipv6 pool used> print

[ Top | Back to Content ]

interface (string; Default: ) Interface on which server will be running.

name (string; Default: ) Reference name

dynamic (yes | no)

invalid (yes | no)

comment (string; Default: ) Short description of an item.

disabled (yes | no; Default: no) Whether item is disabled

iaid (integer [0..4294967295]; Default: )

dynamic (yes | no) Whether item is dynamically created.

expires-after (time) Time period after which binding expires.

last-seen (time) Time period since client was last seen.

status (waiting | Three status vales are possible:

For example, dynamically assigned /62 prefix

[admin@RB493G] /ipv6 dhcp-server binding> print detail

1 D address=2a02:610:7501:ff04::/62 duid="0019d1393535" iaid=2

Menu specific commands

make-static () Set dynamic binding as static.

Enabling IPv6 Prefix delegation

/ipv6 pool add name=myPool prefix=2001:db8:7501::/60 prefix-length=62

/ipv6 dhcp-server add name=myServer address-pool=myPool interface=local

To test our server we will set up wide-dhcpv6 on ubuntu machine:

Run DHCPv6 client

sudo dhcp6c -d -D -f eth2

Verify that prefix was added to eth3